The problem is that this should always be coming from $_REQUEST['HTTP_MODAUTH'] via the connectors. This not being sent in the AJAX request is the real problem here. Agreed Fi1osof?
Quote from: opengeek at Sep 11, 2013, 02:15 PM
The problem is that this should always be coming from $_REQUEST['HTTP_MODAUTH'] via the connectors. This not being sent in the AJAX request is the real problem here. Agreed Fi1osof?
Not $_REQUEST['HTTP_MODAUTH']. $_REQUEST - it's POST or GET (you know). $_SERVER['HTTP_MODAUTH'] (it's created from the request headers, not the request params).
Hi, I have the same problem (access denied) when I try to update gallery image details. MODX version 2.2.9.
Yes. It resolved the document saving problem, but there is still a problem with the gallery image description.
Quote from: pawelmil at Sep 12, 2013, 10:04 AM
Yes. It resolved the document saving problem, but there is still a problem with the gallery image description.
So, you need to insert $_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key')); in the image updating connector.
My understanding is that all AJAX requests MUST send the valid HTTP_MODAUTH in the $_REQUEST object. This is CSRF protection. What you are doing Fi1osof, is forcing it to be correct in the connectors via the $_SERVER reference to it. This should never occur.
Quote from: opengeek at Sep 12, 2013, 01:24 PM
My understanding is that all AJAX requests MUST send the valid HTTP_MODAUTH in the $_REQUEST object. This is CSRF protection. What you are doing Fi1osof, is forcing it to be correct in the connectors via the $_SERVER reference to it. This should never occur.
It's not my idea. It was in the base. Have a look:
https://github.com/modxcms/revolution/blob/release-2.2/connectors/layout/modx.config.js.php#L8
And this is not in all of the connectors. But now, for correct checking, both $_SERVER['HTTP_MODAUTH'] and $_REQUEST['HTTP_MODAUTH'] are required. See:
https://github.com/modxcms/revolution/blob/release-2.2/core/model/modx/modconnectorresponse.class.php#L99
Read line 99 again...it does not require both SERVER and REQUEST. It's one or the other. The ones that set this in the connector are exceptions.
Quote from: opengeek at Sep 12, 2013, 01:52 PM
Read line 99 again...it does not require both SERVER and REQUEST. It's one or the other. The ones that set this in the connector are exceptions.
Are you really sure? ;-)
if (!$isLogin && !isset($_SERVER['HTTP_MODAUTH']) && (!isset($_REQUEST['HTTP_MODAUTH']) || empty($_REQUEST['HTTP_MODAUTH']))) {
If !$isLogin (true, because it's not a login action), AND !isset($_SERVER['HTTP_MODAUTH']) (true, because the modAuth request header was not sent), AND empty($_REQUEST['HTTP_MODAUTH']) (true, because $_REQUEST['HTTP_MODAUTH'] == 0)
Then: return Access denied.
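To see which request shapes get past the line-99 presence check, here is the condition reproduced as a pure function over constructed $_SERVER and $_REQUEST subsets. This is an added example, not MODX code; the function name modauthMissing and the scenario labels are assumptions, and it only models whether a token is present, not the later comparison against the session token.

```php
<?php
// Added example (not MODX code): the line-99 condition from
// modconnectorresponse.class.php as a pure function, so the request
// shapes discussed in the thread can be compared side by side.
// It models only token *presence*; MODX still has to compare the
// supplied value against the user's session token afterwards.
function modauthMissing(bool $isLogin, array $server, array $request): bool
{
    return !$isLogin
        && !isset($server['HTTP_MODAUTH'])
        && (!isset($request['HTTP_MODAUTH']) || empty($request['HTTP_MODAUTH']));
}

// Constructed scenarios: [label, isLogin, $_SERVER subset, $_REQUEST subset]
$scenarios = [
    ['login action, no token',       true,  [],                          []],
    ['modAuth header only',          false, ['HTTP_MODAUTH' => 'tok123'], []],
    ['request param only',           false, [],                          ['HTTP_MODAUTH' => 'tok123']],
    ['both header and param',        false, ['HTTP_MODAUTH' => 'tok123'], ['HTTP_MODAUTH' => 'tok123']],
    ['neither (the AJAX bug)',       false, [],                          []],
    ['param present but "0"',        false, [],                          ['HTTP_MODAUTH' => '0']],
];

// PHP's empty('0') is true, so a literal "0" counts as no token at all;
// every other shape that carries the token in either place gets through.
foreach ($scenarios as [$label, $isLogin, $server, $request]) {
    $verdict = modauthMissing($isLogin, $server, $request)
        ? 'Access denied'
        : 'presence check passed, token value compared next';
    printf("%-28s -> %s\n", $label, $verdict);
}
```

Either the header or the request parameter on its own satisfies the presence check; only the request that sends neither (or sends "0") is denied at this point.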